Check Point recently published a new report chronicling the UAE threat landscape over the past six months. In the report, the company identified Remote Code Execution (RCE) as the most common vulnerability exploit type, impacting 62% of businesses.
This finding is not at all surprising. From an attacker's perspective, an RCE vulnerability in a workload (the infrastructure on which data center software runs) is the gift that keeps on giving, fuelling countless attacks not only in the UAE but across the globe.
RCE vulnerabilities were also the root cause of the Hafnium and Kaseya attacks. Very early and automated protection in response to an RCE attack is essential for effective enterprise protection.
When a carefully crafted payload is delivered to an application with a lurking RCE vulnerability, the application relinquishes execution control to the attacker. The application is then said to have reached the Exploitation stage of the cyber kill chain.
Wresting execution control from an application allows the attacker not only to install the additional tools needed to perpetuate the attack but also to establish a two-way communication path back to the attacker's command-and-control (C2) server. At this point, the attacker has achieved full keyboard control over the victim.
The victim workload is now totally at the attacker's mercy, and the attacker can perform any malicious action of their choosing: running ransomware, exfiltrating critical data, scraping user credentials, pivoting to other workloads, mining cryptocurrency, or joining a botnet.
It is often said that adversaries use the same techniques repeatedly. Assuming threat actors will keep reusing the same techniques is not only naïve but also somewhat self-serving for the classes of cybersecurity products that rely on signatures and threat feeds. Most adversaries are well funded, skilled, motivated, and highly effective.
All they need is early awareness of an RCE vulnerability and an enterprise that is hosting the vulnerable application. Once they are in the enterprise data center, the attack metastasises in seconds. If the attacker reaches the Command-and-Control (C2) stage of the kill chain, there is no stopping them.
RCE vulnerabilities are particularly potent against conventional endpoint, perimeter, and threat-hunting security tools. Although these tools claim to work in the application's runtime, their runtime clock starts only after the attack has reached the Actions on Objectives stage of the kill chain, long after the attacker has achieved keyboard control over the victim workload.
These tools work by counting how many anomalous activities occur over a fixed period of time and declaring the victim under attack once a pre-defined threshold is exceeded. A skilled attacker can stay below that threshold and bypass the protection such tools offer entirely.
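As an added illustration, not part of the original article, the following Python models the threshold-based detection just described: a sliding-window counter of anomalous events per workload, with assumed window and threshold values, run over two constructed event streams. The noisy stream crosses the threshold only after its fifth hostile action; the low-and-slow stream never does.

```python
"""Sliding-window anomaly-count detector (constructed example, not a product)."""
from collections import deque

WINDOW_SECONDS = 300   # fixed observation period (assumed value)
THRESHOLD = 5          # alert once this many anomalies fall inside the window


def first_alert_time(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return the timestamp at which the detector first alerts, or None.

    `events` is a time-ordered iterable of (timestamp_seconds, is_anomalous)
    pairs. Benign events are ignored; anomalous ones are kept in a trailing
    window and an alert fires when the count in that window reaches `threshold`.
    """
    recent = deque()
    for ts, anomalous in events:
        if not anomalous:
            continue
        recent.append(ts)
        # Drop anomalies that have aged out of the fixed window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return ts
    return None


# Constructed stream 1: a noisy attacker, six hostile actions within a minute,
# interleaved with benign activity. The detector alerts at the fifth hostile
# action (t=50), i.e. only after four have already succeeded.
NOISY = [(5, False), (10, True), (15, False), (20, True), (30, True),
         (40, True), (45, False), (50, True), (60, True)]

# Constructed stream 2: the same six hostile actions spread one per hour.
# Each one ages out of the 300-second window before the next arrives, so the
# count never exceeds one and the detector stays silent throughout.
LOW_AND_SLOW = [(hour * 3600, True) for hour in range(6)]


def compare():
    """Run both constructed streams through the detector."""
    return {
        "noisy": first_alert_time(NOISY),
        "low_and_slow": first_alert_time(LOW_AND_SLOW),
    }


if __name__ == "__main__":
    for name, alert in compare().items():
        print(f"{name}: {'alert at t=%ds' % alert if alert is not None else 'no alert'}")
```

Widening the window to six hours (first_alert_time(LOW_AND_SLOW, window=6 * 3600)) does catch the slow stream, but only at its fifth action, which is the trade-off between delay and false positives that this class of tool has to make.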
In the SolarWinds case, the attack continued unabated from September 2019 to December 2020, 15 months, before a security vendor published a specific indicator of compromise (IOC).
To achieve true protection against an attack that leverages an RCE vulnerability, the security control must kickstart protection before the attack reaches the Command-and-Control (C2) stage of the kill chain. An attack that has crossed the C2 stage is unstoppable, and irreparable harm is guaranteed to follow.
Conventional security tools do not work against RCEs. True protection can only be achieved if the security control detects the attack at the Exploitation stage of the kill chain and launches a protective action before the attack reaches the C2 stage.